PetSmart Notifies Customers of Cyberattack

PetSmart has recently informed its customers of a credential stuffing attack, prompting an immediate reset of passwords for affected accounts. The pet retail giant currently has over 60 million customers.

The attack leveraged usernames and passwords exposed in prior breaches to gain unauthorized access. In response, PetSmart took proactive measures, stating the following in an email sent to affected customers, as reported by BleepingComputer: "In an abundance of caution to protect you and your account, we have inactivated your password on petsmart.com".

Once a threat actor compromises an account in a credential stuffing attack, it can be used to make fraudulent purchases and send spam, or as a platform for further attacks. It’s also common for threat actors to sell such compromised accounts to other cybercriminals.

Credential stuffing attacks are not new and have targeted various companies in the past. PetSmart's recent experience underscores the persistent threat of hackers in the digital landscape. Stating that “fraudsters are constantly trying to obtain user names and passwords," PetSmart advised its customers to use strong, unique passwords and to vigilantly monitor account activity.

PetSmart also clarified in its email alert that there is no indication that its website or any of its systems were compromised, with the attack only seeming to affect customer accounts.

This incident isn’t the only one that’s currently affecting American shoppers — we recently reported on a breach that leaked American Express card details. Not only does the American populace have to worry about hackers, but the violation of their privacy by federal agencies, with the recent revelation that the NSA has been purchasing American’s browsing data without a warrant.